xloader | ce11e96fe93545cd9d381c440d7e172eebfe7c0e177c6485216313b144c415a3

General

Target

Shipping Documents.xlsx
Size

2.2MB
MD5

ab599dc3956c9e72ad6187bca6d7d783
SHA1

c06939ab8436da2f3c37d0cece53837960943d19
SHA256

ce11e96fe93545cd9d381c440d7e172eebfe7c0e177c6485216313b144c415a3
SHA512

a28926991314329da86c8e76caeb0793c1f495733fdd5d61347eba55e0e65cdea3a9a02c23d0f912c86429228ab0eef9e010f8cd64dfbccacd5bc7f234d86cb2

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.autotrafficbot.com/evpn/

Decoy

memoriesmade-l.com

babypowah.com

usinggroovefunnels.com

qapjv.com

kp031.com

kinfet.com

markmalls.com

keithforemandesigns.com

fydia.com

jesussaysalllivesmatter.com

sarachavesportela.com

standerup.com

monthlywifi.com

productsoffholland.com

newbieadvice.com

globalnetworkautomation.com

theholisticbirthco.com

physicalrobot.com

thesouthernhomesellers.com

teamcounteract.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/868-19-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/756-25-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 3 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 316 EQNEDT32.EXE
8 316 EQNEDT32.EXE
10 316 EQNEDT32.EXE
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

848 vbc.exe
868 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exe

pid process

316 EQNEDT32.EXE
316 EQNEDT32.EXE
316 EQNEDT32.EXE
848 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
6	316	EQNEDT32.EXE
8	316	EQNEDT32.EXE
10	316	EQNEDT32.EXE

pid	process
848	vbc.exe
868	vbc.exe

pid	process
316	EQNEDT32.EXE
316	EQNEDT32.EXE
316	EQNEDT32.EXE
848	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exeipconfig.exe

description	pid	process	target process
PID 848 set thread context of 868	848	vbc.exe	vbc.exe
PID 868 set thread context of 1268	868	vbc.exe	Explorer.EXE
PID 756 set thread context of 1268	756	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

756 ipconfig.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

316 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
756	ipconfig.exe

pid	process
316	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1740 EXCEL.EXE

pid	process
1740	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

vbc.exeipconfig.exe

pid	process
868	vbc.exe
868	vbc.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

vbc.exevbc.exeipconfig.exe

pid process

848 vbc.exe
868 vbc.exe
868 vbc.exe
868 vbc.exe
756 ipconfig.exe
756 ipconfig.exe

pid	process
848	vbc.exe
868	vbc.exe
868	vbc.exe
868	vbc.exe
756	ipconfig.exe
756	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exeExplorer.EXEipconfig.exe

description	pid	process
Token: SeDebugPrivilege	868	vbc.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeDebugPrivilege	756	ipconfig.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1740 EXCEL.EXE
1740 EXCEL.EXE
1740 EXCEL.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1740	EXCEL.EXE
1740	EXCEL.EXE
1740	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 316 wrote to memory of 848	316	EQNEDT32.EXE	vbc.exe
PID 316 wrote to memory of 848	316	EQNEDT32.EXE	vbc.exe
PID 316 wrote to memory of 848	316	EQNEDT32.EXE	vbc.exe
PID 316 wrote to memory of 848	316	EQNEDT32.EXE	vbc.exe
PID 848 wrote to memory of 868	848	vbc.exe	vbc.exe
PID 848 wrote to memory of 868	848	vbc.exe	vbc.exe
PID 848 wrote to memory of 868	848	vbc.exe	vbc.exe
PID 848 wrote to memory of 868	848	vbc.exe	vbc.exe
PID 848 wrote to memory of 868	848	vbc.exe	vbc.exe
PID 1268 wrote to memory of 756	1268	Explorer.EXE	ipconfig.exe
PID 1268 wrote to memory of 756	1268	Explorer.EXE	ipconfig.exe
PID 1268 wrote to memory of 756	1268	Explorer.EXE	ipconfig.exe
PID 1268 wrote to memory of 756	1268	Explorer.EXE	ipconfig.exe
PID 756 wrote to memory of 1620	756	ipconfig.exe	cmd.exe
PID 756 wrote to memory of 1620	756	ipconfig.exe	cmd.exe
PID 756 wrote to memory of 1620	756	ipconfig.exe	cmd.exe
PID 756 wrote to memory of 1620	756	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1620

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Command-Line Interface

1

T1059

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
f818665dd48a93c48255d3ceadf92a6e

SHA1
2567c8a3e1a3e3e98782ea8d0d117518ccd4291b

SHA256
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92

SHA512
ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c

Download Submit
C:\Users\Public\vbc.exe
MD5
f818665dd48a93c48255d3ceadf92a6e

SHA1
2567c8a3e1a3e3e98782ea8d0d117518ccd4291b

SHA256
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92

SHA512
ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c

Download Submit
C:\Users\Public\vbc.exe
MD5
f818665dd48a93c48255d3ceadf92a6e

SHA1
2567c8a3e1a3e3e98782ea8d0d117518ccd4291b

SHA256
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92

SHA512
ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi250F.tmp\i9y7dp4bi0ysdq.dll
MD5
41f5d6cadd673464980f0835b0801d4d

SHA1
6753c31b14c5cfa9f3bcf8d05db35554be80ba68

SHA256
491ab0be0c90490bdc145350f86ed973c715dc2f9236d0beb1a7e6ef8d04a4e8

SHA512
d61d598894350c5497db9419678ca63705e64f3b4368da1675acd8e7ddf141b6c6d6ccc0ac821cf07f3464a2285df95617e4a7bc1a8390cb46567d360b645210

Download Submit
\Users\Public\vbc.exe
MD5
f818665dd48a93c48255d3ceadf92a6e

SHA1
2567c8a3e1a3e3e98782ea8d0d117518ccd4291b

SHA256
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92

SHA512
ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c

Download Submit
\Users\Public\vbc.exe
MD5
f818665dd48a93c48255d3ceadf92a6e

SHA1
2567c8a3e1a3e3e98782ea8d0d117518ccd4291b

SHA256
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92

SHA512
ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c

Download Submit
\Users\Public\vbc.exe
MD5
f818665dd48a93c48255d3ceadf92a6e

SHA1
2567c8a3e1a3e3e98782ea8d0d117518ccd4291b

SHA256
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92

SHA512
ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c

Download Submit
memory/316-5-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/756-22-0x0000000000000000-mapping.dmp

Download
memory/756-25-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/756-27-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/756-24-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/756-28-0x00000000008C0000-0x000000000094F000-memory.dmp

Filesize
572KB

Download
memory/848-10-0x0000000000000000-mapping.dmp

Download
memory/848-17-0x00000000008E0000-0x00000000008E2000-memory.dmp

Filesize
8KB

Download
memory/868-15-0x000000000041D0C0-mapping.dmp

Download
memory/868-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/868-20-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/868-18-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1268-21-0x0000000006030000-0x0000000006174000-memory.dmp

Filesize
1.3MB

Download
memory/1268-29-0x0000000006180000-0x00000000062FA000-memory.dmp

Filesize
1.5MB

Download
memory/1620-26-0x0000000000000000-mapping.dmp

Download
memory/1740-2-0x000000002FC31000-0x000000002FC34000-memory.dmp

Filesize
12KB

Download
memory/1740-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1740-3-0x00000000715E1000-0x00000000715E3000-memory.dmp

Filesize
8KB

Download
memory/1748-6-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads